WARNING: Using SELinux without knowing what you are doing may render your system inoperable. So please do yourself a big favor and test everything on a non-productive system.

I assume that you already have SELinux up and running. There are several good guides out there that cover this. This How To just explains how you can easily use your SELinux in the so-called "strict mode". This means that every operation is forbidden by default; you have to allow everything through policies. I will show you how to create such policies quite fast. I think this isn't the way it was meant to be used but for me it worked perfectly. So let's start.

Step 1: Running SELinux in permissive mode
Running SELinux in this mode lets your system work normally. No action will be forbidden by SELinux, but policy violations will be logged in several places. We will use these logs later to create our policies.

To check whether SELinux is already running in permissive mode, type this command:

Code:

getenforce

This should reply with

Code:

Permissive

If this is the case you can jump to Step 2. If it is not, edit

Code:

/etc/selinux/config

and edit this section to look like this:

Code:

SELINUX=permissive

If you had to change your config, make sure to restart your system so that the change applies.

After reboot getenforce should result in Permissive.

Step 2: Let your SELinux learn!

Now you have to let your SELinux learn how your system behaves in different situations. The machine on which I installed SELinux was planned to be an FTP server soon. So I connected to it with Filezilla and tested everything I expected my users to do. So I created directories, renamed them etc. Every action you do, like renaming, is logged in the background by SELinux as a policy violation. Like I said before, we will use these violations later to create our policies. This step took me about one week. But be careful! If an attacker breaks into your system through an exploit during this phase, we would later permit this action! So be sure to check your /var/log/messages etc. for suspicious entries.

Step 3: Creating our policies

Now we are ready to create our first policy. Policies are used to tell SELinux which actions should be allowed. We will use the tool audit2allow to create our policies. As I said, SELinux logs everything that happens in several places. In my case SELinux didn't save these messages in any logfile. So I had to grab everything directly from dmesg. This is done with the following command:

Code:

audit2allow -d -l >> ~/a2a

This creates (or appends to) a file called a2a in your home directory. This file can be viewed or edited with an editor like vi or nano.

Code:

nano ~/a2a

Now you will see several entries which look like this one. We will create a policy for dmesg. Creating rules for other daemons or tools is no harder.

I personally preferred to create a directory under / called selinux-policies. For every daemon or tool I created a subfolder called, for example, "dmesg_t". This will help you later not to get confused. Just copy/paste the section above into a file called dmesg_t.te in the directory dmesg_t you just created. You will now see what a policy looks like. Here you go:

Code:

dmesg

This is the name of your new policy. You should give it a meaningful name to make administration easier.

Code:

1.0.0

This is the version of your policy. Every time I change something in my policy I increase the number by 1 (for example 1.0.1).

Code:

require {
type dmesg_t;
type etc_t;
type file_t;
}

In this section you tell SELinux which types are used in this policy. It's not that hard to figure out which types are used. Just look down in the "#========" section. There you see for example dmesg_t and etc_t and file_t. Guess what... These are your types. Every type that appears in your rules must be listed here, otherwise the policy will not compile.

The allow rule below the require block (the line you copied from a2a) is your actual policy. Here you tell SELinux that it has to allow a file or process with the type dmesg_t to read or getattr(ibute) files of the type etc_t. Most files in /etc have this type.

Congratulations! You just created your first SELinux policy! Save it. Now it is time to compile it so that SELinux can use it.
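The splitting of the a2a file into one module directory per type is exactly the kind of repetitive work a small script can do for you. The following is an added example, not the How To's own code: it takes a constructed sample of audit2allow output (the "#======" headers and allow rules are in the format audit2allow prints), collects the types each section uses for the require block, and writes a module source in the same shape as the dmesg policy above into /selinux-policies/<type>/<type>.te. The module name (the source type minus its "_t" suffix), the version 1.0.0 and the directory layout follow the conventions in the text; the ftpd rules in the sample are made up for illustration.

```python
"""Split an audit2allow dump into one SELinux module source (.te) per
source type, mirroring the manual Step 3 workflow.

Added example, not the How To's own code. The SAMPLE_A2A text is
constructed; the header format "#============= <type> ==============" is
what audit2allow emits. Module name, version and the output layout
/selinux-policies/<type>/<type>.te follow the conventions in the text.
"""
import re
from pathlib import Path

HEADER_RE = re.compile(r"^#=+\s*(\S+)\s*=+$")
# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")

# Constructed sample of what `audit2allow -d -l` might print.
SAMPLE_A2A = """\
#============= dmesg_t ==============
allow dmesg_t etc_t:file { read getattr };
allow dmesg_t file_t:file read;

#============= ftpd_t ==============
allow ftpd_t ftpd_home_t:dir { create rename rmdir };
allow ftpd_t ftpd_home_t:file { create rename unlink };
"""


def split_sections(text):
    """Return {source_type: [allow rule lines]} from audit2allow output."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line or line.startswith("#"):
            continue
        if current is None:
            raise ValueError(f"rule before any section header: {line}")
        if not ALLOW_RE.match(line):
            raise ValueError(f"unrecognised rule: {line}")
        sections[current].append(line)
    return sections


def required_types(rules):
    """Every type named as source or target in the rules -> require block."""
    types = set()
    for rule in rules:
        src, tgt, _cls, _perms = ALLOW_RE.match(rule).groups()
        types.update((src, tgt))
    return sorted(types)


def build_te(name, version, rules):
    """Render a module source: module line, require block, allow rules."""
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in required_types(rules)]
    lines += ["}", ""]
    lines += rules
    return "\n".join(lines) + "\n"


def write_modules(text, root, version="1.0.0"):
    """Write <root>/<type>/<type>.te for each section; return the paths."""
    root = Path(root)
    written = []
    for src_type, rules in split_sections(text).items():
        module_dir = root / src_type
        module_dir.mkdir(parents=True, exist_ok=True)
        # Module name is the source type without the "_t" suffix, e.g. dmesg
        name = src_type[:-2] if src_type.endswith("_t") else src_type
        te_path = module_dir / f"{src_type}.te"
        te_path.write_text(build_te(name, version, rules))
        written.append(te_path)
    return written


if __name__ == "__main__":
    import tempfile
    # Write into a temp dir instead of /selinux-policies so a dry run is harmless
    out = tempfile.mkdtemp(prefix="selinux-policies-")
    for p in write_modules(SAMPLE_A2A, out):
        print(f"== {p}")
        print(p.read_text())
```

After running it you still compile and load each .te by hand as in Step 4, and you should read every generated rule before loading it, for the same reason given in Step 2: audit2allow turns whatever happened during the learning phase into an allow rule, including anything an intruder did.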

Step 4: Compiling your policy

I assume that you are in the dmesg_t directory we created earlier in this How To. Your dmesg_t.te should be located there. So let's compile it with the following command:

Code:

make -f /usr/share/selinux/strict/include/Makefile

If everything worked there should now be a file called "dmesg.pp" in this directory. If the compiler reported errors, just read them; mostly you just forgot a ";" or something like this. Now we can load our newly created policy with this command:

Code:

semodule -i dmesg.pp

Repeat Steps 3 and 4 for every section in the a2a file we created.

Step 5: Test everything

Now that you have compiled all of your policies it is time for the ultimate test. We will now set our SELinux to enforcing mode. This means that everything which wasn't allowed is not just logged but really forbidden. THIS MAY RENDER YOUR SYSTEM TEMPORARILY INOPERABLE!
To turn your SELinux to enforcing mode just type

Code:

setenforce 1

Step 6: Troubleshooting

Hopefully everything will still work. If it does not, don't get frustrated. You can still switch back to permissive mode.
To do this we first have to switch our role to sysadm_r.

Code:

newrole -r sysadm_r

You will now be asked for your root password. After that you can either unload one of your policies or switch back to permissive mode completely.

Remove a policy:

Code:

semodule -r dmesg

This removes the policy named "dmesg" from SELinux.

Switch back to permissive mode:

Code:

setenforce 0

If these two solutions didn't help you out, you just have to reboot your system. You may have to power the machine off and on again, because it is possible that rebooting is not yet allowed by your policies.

I hope this guide helped you. I can't stress enough that you must not test all this on a productive system! The author of this How To cannot be held responsible for malfunction of your system. You do everything at your own risk!